b"July 27, 2010\n\nJOSEPH D. MOELLER\nMANAGER, REGULATORY REPORTING AND COST ANALYSIS\n\nSUBJECT: Audit Report \xe2\x80\x93 Cost and Revenue Analysis Reporting Model\n         (Report Number CRR-AR-10-003)\n\nThis report presents the results of our self-initiated audit of the Cost and Revenue\nAnalysis (CRA) reporting model (Project Number 09RG025CRR000). Our objective was\nto evaluate the controls over the development and maintenance of CRA reports.\n\nThe Postal Accountability and Enhancement Act of 2006 (the Postal Act of 2006)\nrequires the U.S. Postal Service Office of Inspector General (OIG) to regularly audit the\ndata collection systems and procedures the Postal Service uses to prepare its reports\nanalyzing costs, revenue, rates, and quality of service for the Postal Regulatory\nCommission (PRC). This audit addresses strategic and financial risk. See Appendix A\nfor additional information about this audit.\n\nThe Postal Service annually prepares the CRA report to determine whether it complied\nwith the statutory requirement that each class or type of mail service bear the direct and\nindirect costs attributable to that class or service. The Cost Attribution group under\nRegulatory Reporting and Cost Analysis prepares the CRA report, which is appended to\nthe Annual Compliance Report (ACR) provided to the PRC.\n\nThe Postal Service uses the CRA model, which consists of a set of Excel workbooks\nwith embedded formulas and programming code that perform cost compilations and\nother calculations, to prepare the CRA report. The model uses cost information from the\nagency\xe2\x80\x99s accounting system and cost allocation ratios derived from various operational\nand statistical information sources to prepare the CRA report. The cost, operational, and\nstatistical data from various sources, including accounting systems and subsystems\n(such as the In-Office Cost System (IOCS) and the Revenue, Pieces, and Weight\n(RPW) Report) is input into the CRA model. The final CRA report is prepared by\nexecuting the programs within the CRA model workbooks and completing certain quality\ncontrol checks.\n\x0cCost and Revenue Analysis Reporting Model                                CRR-AR-10-003\n\n\n\nConclusion\n\nControls over the development and maintenance of CRA reports were generally\nadequate. Specifically, supporting workbooks, formulas, and computer programming\ncode incorporated into the CRA model function as intended. The structure of the CRA\nmodel enables verification of data from the source systems against the final report. In\naddition, Cost Attribution personnel validate computations and cost allocations to\nensure accuracy and maintain adequate supporting documentation.\n\nHowever, the Postal Service needs to establish proper access controls for its\n                                              to limit file access to personnel who\nprepare and maintain CRA reports. In addition, the Postal Service can further enhance\ncontrols by improving CRA process documentation and following best practices in\nmaintaining computer programming documentation for the CRA model.\n\nAccess Controls\n\nAccess controls are inadequate to safeguard the CRA model and relevant workbooks.\n                                                                      , 28 employees have\nunrestricted read and write privileges to CRA supporting files\n               while only 15 users require access to these files. Personnel from the Cost\nAttribution group stated that they use                            for convenience rather\nthan segregating and limiting access to the CRA files.\n\nImplementing an appropriate control process over CRA model workbooks is critical\n\n          , exposing them to an increased risk of error. According to management,\nestablishing password controls over individual workbooks would reduce the efficiency of\npreparing the CRA report. However, password controls could be implemented over the\nprogramming code within each workbook and administrators could maintain workbooks\nseparately                   Strengthening access controls will enhance the security of\nthese files and assist in ensuring that the over $70 billion in costs reported in the CRA\nmodel are accurate.\n\nWe recommend the manager, Regulatory Reporting and Cost Analysis, direct the\nmanager, Cost Attribution, to:\n\n1. Incorporate access controls such as password protection in the modules containing\n   computer programming code.\n\n2. Coordinate with Information Technology to implement controls to limit access to the\n   Cost and Revenue Analysis model and related workbooks to authorized users.\n\n\n\n\n                                            2\n\x0cCost and Revenue Analysis Reporting Model                                                      CRR-AR-10-003\n\n\n\nProgram Documentation\n\nThe Postal Service has not fully documented the process used to prepare the CRA\nreport. The Postal Service relies on various documentation including the Summary\nDescription, ACR Schedule, programmers\xe2\x80\x99 manuals, and procedures for CRA report\npreparation. However, the various documents do not always complement each other or\nthey contain obscure descriptions regarding the actual calculations that are performed.\nFor example, both the fiscal year (FY) 2008 Summary Description and a control file1\nlisted equipment categories for allocating operating equipment maintenance expense.\nHowever, the two lists contained different equipment categories. While we did verify that\nthe files contained the correct equipment category, these inconsistencies could lead to\nfuture errors. During the audit, management took corrective action and updated the\nFY 2009 Summary Description. Although necessary changes were made to the\nprogram code, the programmers\xe2\x80\x99 manuals have not been updated since 2006 to ensure\nthat VBA program code conforms to the cost allocation principles described in the\nSummary Description of USPS Development of Costs by Segments and Components\nprepared annually for the PRC.\n\nManagement believes that the milestones developed annually for the CRA process\nensure timely filing of the report to the PRC and that further documentation is not\nnecessary. However, incomplete or unclear procedures could lead to errors in the CRA\nreport and deter the timely detection of errors.\n\nWe recommend the manager, Regulatory Reporting and Cost Analysis, direct the\nmanager, Cost Attribution, to:\n\n3. Update the programmer\xe2\x80\x99s manuals to include calculation logic that is consistent with\n   established business rules and programming codes.\n\nProgramming Best Practices\n\nWe reviewed 11 calculation routines within the CRA model and a sample of\ncomponents, distribution keys, and calculated values. The CRA model calculations\nworked as intended and the documentation provided for the model contained relevant\ndata; however, we noted that the VBA programming code does not always follow best\npractices for optimal performance with regard to:\n\n\xef\x82\xa7 Using the option explicit statement2 to require explicit variable declarations.3 VBA\n   allows variables to be declared either explicitly (generally at the beginning of the\n   script or procedure), or implicitly (as needed within the program). The VBA programs\n\n1\n  A workbook titled FY 08.cntl.xls, which is part of the CRA model.\n2\n  The option explicit statement requires that all variables be declared using a Dimension (Dim) statement. The VBA\nprogram compiler will generate an error when it encounters an undeclared or misspelled variable and the code will\nnot execute until the error is corrected.\n3\n  A variable stores temporary information that is used for execution within the procedure, module or workbook.\n\n\n\n\n                                                         3\n\x0cCost and Revenue Analysis Reporting Model                                 CRR-AR-10-003\n\n\n\n    in the CRA model do not contain the option explicit statement that requires the\n    specific naming of variables in the script or individual procedure.\n\n    Explicit variable declaration is considered best practice because the developer must\n    define each variable before using them in code. The VBA program compiler will\n    generate an error when it encounters an undeclared variable and the code will not\n    execute until the error is corrected.\n\n    Use of implicit declarations can lead to unintended results if variables are\n    misspelled. For example, if a variable named \xe2\x80\x9ciClass\xe2\x80\x9d is used in one portion of the\n    code, use of \xe2\x80\x9ciClas=25\xe2\x80\x9d later in the code will result in creation of a new variable\n    \xe2\x80\x9ciClas\xe2\x80\x9d being assigned a value equal to 25, rather than this value being assigned to\n    \xe2\x80\x9ciClass\xe2\x80\x9d as intended. This type of programming error can be difficult to identify (but\n    easily corrected once identified) because program execution is not aborted. Using\n    the option explicit statement would prevent the use of misspelled variable names\n    because these names must be declared in a Dimension statement.\n\n\xef\x82\xa7   Specifying variable types in subroutines. The subroutine declarations in the VBA\n    program code do not identify the type of each variable used within the subroutine. In\n    the absence of variable type information, the VBA environment would consider all\n    variables as a generic variant type which can be any type of data element. For\n    example, the subroutines in the module for allocating costs use variables without\n    type declarations to represent different data elements such as variability factors,\n    component numbers, total costs, and spreadsheet names. Use of variants requires\n    the VBA compiler to add program code to test which type of data is actually stored in\n    the variable, adding overhead to the program.\n\n    Best practices in computer programming require that variables types be correctly\n    declared in the subroutine. Incorporating the proper type declarations in subroutines\n    will help program portability to newer versions and lead to easier code maintenance\n    and faster program execution.\n\n\xef\x82\xa7   Retaining obsolete code. Various workbooks contain obsolete VBA code that was\n    incorporated into the program during the development stage but this code has not\n    been removed from the production routines. For example, all 11 calculation routines\n    we reviewed contained \xe2\x80\x9ccommented out\xe2\x80\x9d code that was no longer necessary due to\n    programming elsewhere in the calculation routines. Although calculations may not\n    be affected by obsolete code, deleting it can simplify code maintenance and prevent\n    its inadvertent reactivation. In addition, obsolete code could cause confusion for new\n    users.\n\nPostal Service personnel and the contractors who developed the code stated they\nbelieve the current program code produces the results prescribed by the PRC for CRA\nreporting and that some obsolete code which has been disabled might be needed in the\n\n\n\n\n                                             4\n\x0cCost and Revenue Analysis Reporting Model                                 CRR-AR-10-003\n\n\n\nfuture. However, implementing best practices in programming will help ensure program\nintegrity and robustness, future compatibility, and efficient program maintenance.\n\nWe recommend the manager, Regulatory Reporting and Cost Analysis, direct the\nmanager, Cost Attribution, to:\n\n4. Conduct a source code review and incorporate best practice methodologies for code\n   development and deletion of disabled obsolete code.\n\nManagement\xe2\x80\x99s Comments\n\nManagement concurred with our findings and recommendations. In response to\nrecommendation 1, management stated the manager, Cost Attribution, will investigate\nadding password protection to the VBA code in the CRA spreadsheets, but added that\nthere are mitigating controls in place that provide a very high level of protection. In a\nsubsequent correspondence, management stated they would complete this review by\nAugust 31, 2010.\n\nIn response to recommendation 2, management stated they deployed a dedicated\nserver to store the CRA model and related workbooks. After reviewing workflows and\naccess requirements, management granted 16 authorized users write access to these\nresources.\n\nIn response to recommendation 3, management stated that, while updating the CRA\nprogrammer manual for routines added or deleted since 2006 would be useful,\nbudgetary constraints make the updating of manuals not required by the Postal\nRegulatory Commission a low priority. Management also stated that it would first be\nnecessary to implement any programming changes that they determine necessary\nfollowing a source code review and incorporation of best practices.\n\nIn response to recommendation 4, management stated that, while they agree with the\nintent of the recommendation, a thorough source code review and incorporation of best\npractices methodologies would require extensive contractor hours and would not be the\nmost productive use of limited funding. Further, retention of some \xe2\x80\x9cobsolete\xe2\x80\x9d code might\nbe useful in future development work. Management has already deleted some disabled\ncode in connection with ongoing coding work and will continue similar \xe2\x80\x9chousecleaning\xe2\x80\x9d\nefforts whenever practical so they can implement these changes in an efficient manner.\nSee Appendix B for management\xe2\x80\x99s comments in their entirety.\n\nEvaluation of Management\xe2\x80\x99s Comments\n\nThe U.S. Postal Service OIG considers management\xe2\x80\x99s comments responsive to the\nrecommendations in the report. Regarding recommendation 1, we recognize that there\nwere compensating controls in place; however, we do not believe these controls were\nadequate since a dedicated server with access restrictions was not in place at the time\n\n\n\n\n                                             5\n\x0cCost and Revenue Analysis Reporting Model                                CRR-AR-10-003\n\n\n\nof our audit. Management stated, in response to recommendation 2, that a dedicated\nserver with appropriate access controls is now in place. In addition, management\nreduced the number of users with write access to CRA spreadsheets placed on the\nshared network drive to 16 users and agreed to explore the feasibility of password\nprotecting the VBA code. Therefore, we consider the actions taken to be responsive to\nrecommendations 1 and 2.\n\nRegarding recommendations 3 and 4, while we understand that there are financial and\nresource restrictions, we believe that fully documenting the CRA process and\nincorporating best practice methodologies for code development and deletion of\ndisabled obsolete code as resources permit will further assist in the accurate and timely\ncompletion of the CRA report.\n\nThe OIG considers recommendations 1 and 2 significant, and therefore requires OIG\nconcurrence before closure. Consequently, the OIG requests written confirmation when\ncorrective actions are completed. The management response to recommendation 2 is\nsufficient to close that recommendation; recommendation 1 should not be closed in the\nPostal Service\xe2\x80\x99s follow-up tracking system until the OIG provides written confirmation\nthat the recommendation can be closed.\n\nWe appreciate the cooperation and courtesies provided by your staff. If you have any\nquestions or need additional information, please contact Paul Kuennen, director, Cost,\nRevenue, and Rates, or me at 703-248-2100.\n\n\n   E-Signed by Darrell E. Benjamin, Jr\n   VERIFY authenticity with ApproveIt\n\nDarrell E. Benjamin, Jr.\nDeputy Assistant Inspector General\n for Revenue and Systems\n\nAttachments\n\ncc: Joseph Corbett\n    Hadi Alsegaf\n    Jeffrey L. Colvin\n    Corporate Audit Response Management\n\n\n\n\n                                            6\n\x0cCost and Revenue Analysis Reporting Model                               CRR-AR-10-003\n\n\n\n                        APPENDIX A: ADDITIONAL INFORMATION\n\nBACKGROUND\n\nThe Postal Act of 2006 requires that each class or type of mail service bear the direct\nand indirect costs of that class or service. The Postal Service annually prepares the\nCRA report to help determine that it is meeting this legal requirement. The Postal\nService prepares cost and revenue information by product using methods approved by\nthe PRC.\n\nThe Postal Service prepares public and non-public versions of the CRA report. While\nthe public version contains detailed cost information for market-dominant products and\nlimited information regarding competitive products, the non-public version includes\ndetailed cost information relating to competitive products.\n\nThe Postal Service\xe2\x80\x99s accounting system contains the basic data required for preparing\nthe CRA report. However, the accounting system generally does not accumulate\nfinancial data by categories of mail. Apportionment factors, derived from various postal\noperational and statistical information sources, are required for developing data for the\nCRA report. Some of these sources are dedicated to this purpose and involve extensive\nstatistical sampling of Postal Service activity during the year. The Postal Service\ncompares and scales the calculated amounts to actual data in the postal system of\naccounts, as appropriate.\n\nThe Postal Service uses a model based on Microsoft Excel to develop the CRA report.\nOver 30 workbooks and supporting documents are involved in the process of importing\ndata, calculating the desired output, and generating various workbooks and reports\nincluding the CRA report. The CRA model consists of interlinked worksheets with\napproximately 200,000 formulas and 13,000 lines of VBA programming code for\nperforming calculations and cost allocations. Annually, data from various sources, such\nas IOCS, Rural Carrier Cost System, the RPW, and the trial balance are imported\nmanually and automatically into data workbooks. Once all relevant data are populated,\nthey are uploaded into the CRA model for the calculation and generation of the CRA\nreport.\n\nThe Cost Attribution group in Regulatory Reporting and Analysis is responsible for\npreparing the CRA report and maintaining the CRA model. The Forecasting group in\nFinance uses the CRA model for quantitative analysis and forecasting purposes.\n\nOBJECTIVE, SCOPE, AND METHODOLOGY\n\nOur objective was to evaluate controls over the development and maintenance of the\nCRA reports. To accomplish our objective, we reviewed available policies and\nprocedures. We interviewed personnel in the Cost Attribution office and the PRC. We\nalso reviewed worksheets and programmers\xe2\x80\x99 manuals provided by the Postal Service to\n\n\n\n\n                                            7\n\x0cCost and Revenue Analysis Reporting Model                                    CRR-AR-10-003\n\n\n\ngain an understanding of business rules and determine the risks and potential\ndeficiencies of controls over the development and maintenance of the CRA reporting\nmodules. We created an inventory of all formulas used in the CRA preparation process.\nFrom this inventory, we evaluated a statistical sample of formulas included in key\nworksheets within the model and reviewed them for accuracy and completeness. We\ntraced selected components' corresponding figures to the the cited source.\n\nWe also used a contractor to determine whether the VBA programs used in the CRA\nmodel adequately function to produce expected result in accordance with Summary\nDescription and other requirements documents. We evaluated the contractor\xe2\x80\x99s findings\nto reach our conclusions regarding the VBA program.\n\nWe conducted this performance audit from July 2009 through July 20104 in accordance\nwith generally accepted government auditing standards and included such tests of\ninternal controls as we considered necessary under the circumstances. Those\nstandards require that we plan and perform the audit to obtain sufficient, appropriate\nevidence to provide a reasonable basis for our findings and conclusions based on our\naudit objective. We did not test system production data but instead focused on the\nreliability of the VBA code and workbook formulas to produce expected results. We\nbelieve our tests of the reliability of spreadsheet formulas and VBA code provide a\nreasonable basis for our findings and conclusions based on our audit objective. We\ndiscussed our observations and conclusions with management officials on\nJune 3, 2010, and included their comments where appropriate.\n\nPRIOR AUDIT COVERAGE\n\nWe did not identify any prior audits of the CRA model.\n\n\n\n\n4\n    We suspended this project from December 30, 2009 through May 24, 2010.\n\n\n\n\n                                                        8\n\x0cCost and Revenue Analysis Reporting Model                  CRR-AR-10-003\n\n\n\n                       APPENDIX B: MANAGEMENT\xe2\x80\x99S COMMENTS\n\n\n\n\n                                            9\n\x0cCost and Revenue Analysis Reporting Model        CRR-AR-10-003\n\n\n\n\n                                            10\n\x0c"